Ruminations

Looking Ahead

Today's blog post was not planned. It was not in the pipeline with the others. It is the byproduct of unforeseen problems that were not on our radar. Also, the amount of reading, discussions, worries and lack of sleep over the last few days. It has initiated an uncommon type of disaster recovery response: waiting patiently.

I'm a planner. Not always a good one, but I do much better when I have my all my ducks in a row. Sure, disruptions can derail my best efforts but I plan just the same. It's the nature of programmers to plan because that's how most programs work; they march along a set of planned instructions in the planned order.

I'm saving Eisenhower's quote about plans and planning for the upcoming "Pro vs Re" blog post. So why am I mentioning it now? Because even with all of the planning that people like me do we were not prepared for the Meltdown and Spectre data security issues revealed this week. But the planning we've done - especially with regards to platfom security and disaster recovery - has prepared us for our responses for this unplanned event.

Like most types of "disasters" the specter of Meltdown, and the meltdown about Spectre, have received a lot of media coverage. You can learn more about Meltdown and Spectre in this very accessible piece by Frank Breedijk. (Full disclosure, Frank is my cousin, but I’d recommend this piece even if he weren’t)

Unlike most types of "disasters", these security vulnerabilities have people like me waiting around patiently for the patches to be released. Once released, we then need to review and research their impact on the systems and platforms we support.

The system updates that will mitigate Meltdown should remove the threat completely. But they will come at cost of system performance. Slower systems and online services are inconvenient in today's "more, faster, better" world. But one of the true costs of security is convenience.

The updates that help mitigate Spectre are much more complex. These security patches will have to be made by each application vendor rather than system or platform vendors. Your primary exposure with regards to Spectre is your web browser. Any data in your browser's memory can be accessed by Spectre. This includes personal information and banking information.

Both Meltdown and Specrte are very troubling. They both threaten data security in significant ways. Of the two, you should be more worried by Spectre. Why? Because the updates that prevent Meltdown will be applied by professionals. The updates that address Spectre need to be applied by you.

There's a measure of irony in the Meltdown and Spectre vulnerabilities. They both take advantage of out-of-order and predictive processing. That's when the processor tries to get ahead of itself to provide even faster throughput. Out-of-order and predictive processing are very complex, and very effective.

Guessing, and doing things in an unplanned order, run counter to a programmer's instincts. Yet the truly brilliant electrical engineers who designed computer chips made it work. These features have been around for more than 20 years. And they have made almost all electronic devices run faster and use less energy.

So now the computer security world waits for a fix. There are no out-of-order options for us at the moment. We can try to predict what will happen. And we will plan. Then we will wait for the next major security issue.

---